The GitHub Container Registry integration works differently from Lacework's other container registry integrations. Without a subscription to registry notifications, nothing is assessed automatically: you request each assessment on demand through the Lacework API. With a subscription, GitHub tells Lacework about package pushes through an organization webhook, and Lacework assesses each image as it is pushed.
Integration setup consists of the following steps:
- Create a container registry integration in the Lacework Console
- (With notifications) Add a webhook in GitHub for registry notification
- (Without notifications) Set up image assessment through the Lacework API
- Whitelist Lacework Outbound IPs
Create a Container Registry Integration in Lacework
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Container Registry.
- Click + Create New.
- From the Registry Type drop-down, select GitHub Container Registry and click Next.
- Complete the required settings.
- If you want to subscribe to registry notifications, select Subscribe to Registry Notifications.
- Click Save.
NOTE: The GitHub user whose credentials you enter must be able to pull every image that is requested through the API or reported by the webhook; images that user cannot pull are not assessed.
Setting Name | Description |
---|---|
Registry Type | Specify the registry type from the drop-down, in this case, select GitHub Container Registry. |
Name | Specify a unique name for the container registry in the Lacework Console. |
Username | Specify a user that has permissions to pull from the container registry the images to be assessed. |
Password | Specify a GitHub personal access token for the user above. In GitHub, go to Settings > Developer settings > Personal access tokens > Generate new token. The only scope required is read:packages; do not grant write scopes, because this token is used for pulling only. |
SSL | Select the checkbox if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If this is unselected, communication with the registry is unencrypted. GitHub Container Registry (ghcr.io) is served only over HTTPS, so leave this selected. |
Registry Domain | Specify the registry host, using one of these formats: YourIP:YourPort or YourDomain:YourPort. For GitHub Container Registry this is ghcr.io. |
Limit by Tag (optional) | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text are assessed. To change which images you want to assess, update this field; the change is picked up during the next polling period. If you specify both tag and label limits, an image must match both (AND). Supported field input: mytext*mytext , *mytext , mytext* , or mytext . Only one * wildcard is supported. |
Limit by Label (optional) | If you do not want to assess all images in this registry, specify text from an image label so that only images with matching label text are assessed. To change which images you want to assess, update this field; the change is picked up during the next polling period. If you specify both tag and label limits, an image must match both (AND). Supported field input: mytext*mytext , *mytext , mytext* , or mytext . Only one * wildcard is supported. |
The integration status displays Integration Successful only after its first assessment completes.
Registry Notification
The registry sends notifications in response to events that happen within it. Lacework listens for these, and when it receives a manifest push notification it assesses the pushed image.
When the integration subscribes to notifications, you must add a webhook in GitHub and configure it with the information Lacework provides.
When you create or edit the integration, the following additional information is available:
- URL: the notification listener endpoint
- Authorization Token: an integration-specific, long-running server token
The URL and token are available on the Container Registry page. Click the integration name and copy both items from the details pane; you need them in the next section. Each integration has exactly one token. If you edit the integration to unsubscribe from notifications and later subscribe again, Lacework reuses the same token. Treat the token as a secret: anyone who holds it can send deliveries that the listener will accept.
Add a Webhook to GitHub
If you subscribed to notifications, you must add a webhook to your organization and then add to it the notification listener URL and authorization token.
- In GitHub, navigate to the organization where you want to add a webhook.
NOTE: You must use an organization webhook. Repository webhooks cannot be used.
- Select Webhooks.
- Click Add webhook.
- For Payload URL, paste the integration's URL from the Lacework Console, such as:
https://YourLacework.lacework.net/api/v1/external/vulnerabilities/container/webhook/ghcr
- For Content type, select application/json.
- For Secret, paste the integration's authorization token.
- For Which events would you like to trigger this webhook?, choose Let me select individual events, then select Package v2s from the list of events.
- Select Active.
- Click Add webhook.
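The Secret field is what makes the webhook trustworthy: GitHub computes an HMAC-SHA256 over the raw request body with that secret and sends it in the X-Hub-Signature-256 header, so a listener that checks the signature can reject deliveries forged by anyone who merely knows the URL. The following is an added example, not Lacework's listener code and not part of the original page; it shows what a listener on the receiving end of this webhook must do with the token. The token value and the package event payload are constructed; the payload field names (action, package.package_type, package.namespace, package.package_version.container_metadata.tag.name) are assumed to follow GitHub's package event and should be checked against GitHub's webhook documentation.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for the integration's authorization token, i.e. the
# value pasted into the GitHub webhook "Secret" field. Not a real token.
WEBHOOK_SECRET = b"lacework-integration-token-example"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute what GitHub sends in X-Hub-Signature-256:
    'sha256=' followed by hex(HMAC-SHA256(secret, raw body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the HMAC of the exact bytes received.
    Verify the raw body, not a re-serialised JSON object, and compare in
    constant time so an attacker cannot recover the MAC byte by byte."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def image_to_assess(event_name: Optional[str], payload: dict) -> Optional[Tuple[str, str]]:
    """From a verified delivery, pick the image to assess as (repository, tag).
    Returns None for pings, non-container packages and non-publish actions.
    Field names are assumed from GitHub's package event payload."""
    if event_name != "package" or payload.get("action") != "published":
        return None
    pkg = payload.get("package", {})
    if pkg.get("package_type") != "CONTAINER":
        return None
    tag = (pkg.get("package_version", {})
              .get("container_metadata", {})
              .get("tag", {})
              .get("name"))
    namespace, name = pkg.get("namespace"), pkg.get("name")
    if not (tag and namespace and name):
        return None
    return f"{namespace}/{name}", tag


def handle_delivery(secret: bytes, headers: dict, body: bytes):
    """Process one webhook delivery. Returns ('rejected', reason),
    ('ignored', reason) or ('assess', (repository, tag)).
    Signature is checked before the body is parsed, so unauthenticated
    input never reaches the JSON parser or the assessment pipeline."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return ("rejected", "bad signature")
    try:
        payload = json.loads(body)
    except ValueError:
        return ("rejected", "body is not JSON")
    target = image_to_assess(headers.get("X-GitHub-Event"), payload)
    if target is None:
        return ("ignored", "not a container image publish")
    return ("assess", target)


# Constructed sample delivery: a container image pushed to ghcr.io/example-org/api-server:1.4.2
SAMPLE_PAYLOAD = {
    "action": "published",
    "package": {
        "name": "api-server",
        "namespace": "example-org",
        "package_type": "CONTAINER",
        "package_version": {"container_metadata": {"tag": {"name": "1.4.2"}}},
    },
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()


def genuine_headers() -> dict:
    """Headers GitHub would send for SAMPLE_BODY signed with WEBHOOK_SECRET."""
    return {"X-GitHub-Event": "package",
            "X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}


if __name__ == "__main__":
    print(handle_delivery(WEBHOOK_SECRET, genuine_headers(), SAMPLE_BODY))
```

Real HTTP servers hand you header names case-insensitively; normalise them before the lookup. The order in the handler matters: the signature is verified over the raw bytes first, so a delivery with the wrong secret or a tampered body is dropped before any of its content is interpreted.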
Set Up Image Assessment
If you did not subscribe to notifications, you can, for example, make an API call each time an image is built so that Lacework assesses it.
For information about setting up container image assessment, see the Vulnerability API section in the Lacework API documentation.
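A typical way to use the on-demand path is a step at the end of the image build that tells Lacework which image to assess. The following is an added example, not code from Lacework or from the original page. It splits an image reference of the form ghcr.io/org/name:tag into the registry, repository and tag values the API expects, and builds the assessment request. The account subdomain (YourLacework, as in the webhook URL above), the endpoint path and the request body fields are assumptions taken from the Lacework API v2 container scan endpoint as I recall it; confirm them against the Vulnerability API section referenced above before use. The bearer token is assumed to be obtained separately from a Lacework API key.

```python
import json
import urllib.request
from typing import Tuple

# Assumed endpoint for on-demand container assessment; confirm in the API docs.
SCAN_PATH = "/api/v2/Vulnerabilities/Containers/scan"


def split_image_ref(ref: str) -> Tuple[str, str, str]:
    """Split 'ghcr.io/org/name:tag' into (registry, repository, tag).
    A reference without a tag defaults to 'latest'; a digest reference
    ('@sha256:...') returns the digest in place of the tag. The registry
    host may carry a port (host:port), which is why the tag separator is
    only looked for in the last path component."""
    registry, sep, remainder = ref.partition("/")
    if not sep or not remainder:
        raise ValueError("reference must be registry/repository[:tag]")
    if "@" in remainder:
        repository, _, tag = remainder.partition("@")
    elif ":" in remainder.rsplit("/", 1)[-1]:
        repository, _, tag = remainder.rpartition(":")
    else:
        repository, tag = remainder, "latest"
    if not repository or not tag:
        raise ValueError(f"malformed image reference: {ref}")
    return registry, repository, tag


def build_scan_request(account: str, access_token: str, image_ref: str):
    """Build (url, headers, body) for an on-demand assessment of image_ref
    without sending it, so the request can be inspected or tested offline."""
    registry, repository, tag = split_image_ref(image_ref)
    url = f"https://{account}.lacework.net{SCAN_PATH}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"registry": registry, "repository": repository, "tag": tag}).encode()
    return url, headers, body


def request_scan(account: str, access_token: str, image_ref: str, opener=urllib.request.urlopen):
    """Send the assessment request and return the decoded JSON response.
    `opener` is injectable so callers can test without network access."""
    url, headers, body = build_scan_request(account, access_token, image_ref)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    # Assumed: the account subdomain from the webhook URL and a bearer token
    # obtained from a Lacework API key, supplied through the environment.
    account = os.environ.get("LW_ACCOUNT", "YourLacework")
    token = os.environ["LW_ACCESS_TOKEN"]
    print(request_scan(account, token, "ghcr.io/example-org/api-server:1.4.2"))
```

Run it from the CI job right after `docker push`, passing the same reference that was pushed, so every build is assessed even though nothing is polling the registry.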
Whitelist Lacework Outbound IPs
Lacework connects to registries and notification targets from the following outbound IP addresses. If a firewall or IP allow list sits between Lacework and the registry or proxy it must reach, add these addresses to it; otherwise Lacework cannot pull images for assessment.
- 35.165.121.10
- 35.165.83.150
- 52.43.197.121
- 34.208.85.38
- 35.166.181.157
- 52.88.113.199
- 44.231.201.69
- 54.203.18.234
- 54.213.7.200